Oracle said the vulnerability affects Oracle PeopleSoft PeopleTools and may also affect PeopleSoft Enterprise Applications customers. The company said the flaw is remotely exploitable without authentication and, if successfully exploited, can result in remote code execution. Remote code execution means an attacker can run commands or code on a vulnerable system rather than merely view information.
Google's report identified the activity as UNC6240, also known as ShinyHunters, and said the campaign targeted PeopleSoft application infrastructure. Google said the activity was consistent with exploitation of CVE-2026-35273, a critical vulnerability in the Environment Management component with a CVSS score of 9.8. CVSS is an industry scoring system for vulnerability severity, with 10 as the highest base score.
SecurityWeek reported that the issue affected PeopleTools 8.61 and 8.62, which are used by PeopleSoft Enterprise Applications. PeopleSoft is often deployed for internal administrative systems rather than public consumer services, so exposure can be less visible to customers while still involving sensitive organisational records.
SecurityWeek reported that Oracle released an out-of-band alert and recommended mitigations, while noting that Oracle's public advisory did not itself say the vulnerability had been exploited in the wild. That distinction matters: the exploitation claim comes from Google/Mandiant and other security researchers, while Oracle's advisory establishes the affected product, severity, unauthenticated exploitability and recommended action.
The operational risk is high because PeopleSoft commonly holds human-resources, payroll, student and finance data. The Hacker News reported that higher education was a major target group, and Google said it had notified more than 100 organisations with exposure indicators tied to the campaign. Those victim-count and sector claims should be treated as researcher and media reporting unless individual organisations confirm breaches.